Am 10.12.2015 um 15:18 schrieb Guilhem Moulin: > On Thu, 10 Dec 2015 at 12:15:33 +0100, Jonas Meurer wrote: >> - redefine the purpose of files in conf-hooks.d to set variables that >> are made available to mkinitramfs *and* the hook scripts. > > On second thought it might not be ideal to use the same file for both, > as exporting all variable to the hooks can have unexpected side effects. > > For instance the dropbear hook changes the default UMASK value to 0077 > in order to protect the private key material (the SSH host keys). But > this variable is also used by other software to override the process's > umask(2); if it were to be set in the hooks, files within the initramfs > image might be created with the wrong permissions, which is certainly > not intended and might have unexpected side effects.
Agreed. I updated the patch to do the following: - source all files from conf-hooks.d/* at the beginning of mkinitramfs just as before (but adding the files from ${CONFDIR}/conf-hooks.d/*). - export variables from conf-hooks.d/<hook> just before the hook script hooks/<hook> is executed. This should mitigate the described side-effects. See the updated patch attached to this mail. >> # source package confs >> -for i in /usr/share/initramfs-tools/conf-hooks.d/*; do >> +for i in /usr/share/initramfs-tools/conf-hooks.d/* >> /etc/initramfs-tools/conf-hooks.d/*; do >> if [ -d "${i}" ]; then >> echo "Warning: ${i} is a directory instead of file, ignoring." >> elif [ -e "${i}" ]; then >> . "${i}" >> + hookvars="$(sed -e '/#.*$/d' -e '/^$/d' ${i} | cut -d= -f1)" >> + if [ -n "${hookvars}" ]; then >> + export ${hookvars} >> + fi >> fi >> done > > If *all* variables are accessible in *all* hooks there must be some kind > of policy to prevents collisions. For instance packages a and b > shouldn't make use the same variable OPTIONS, since the assignment in > conf-hooks.d/b would override that in conf-hooks.d/a. > > > I should also add that Jonas and I would both like to avoid the easy & > dirty solution consisting of making the package ship a configuration > file for its hook in /etc/$package/initramfs-hook and source that file > in the hook. Some cleaner organization in the fashion of /etc/default > seems like the way to go. Yep :) Cheers jonas
From af1881f4f93de499e99f37a566a79f1dee973269 Mon Sep 17 00:00:00 2001 From: Jonas Meurer <jo...@freesources.org> Date: Thu, 10 Dec 2015 16:09:54 +0100 Subject: [PATCH] mkinitramfs: export variables from conf-hooks.d includes Up to now, there was no clear api in initramfs-tools to make initramfs hook scripts configurable. Variables from conf-hooks.d include files were not available to the hook scripts due to the hooks beeing executed in sub-shells. This lead to ugly workarounds in packages that tried (and most of them: failed) to make their hook scripts configurable to the user. Now, additionally to sourcing the conf-hooks.d configuration includes, mkinitramfs exports all variables from conf-hooks.d/<hook> just before invoking the respective <hook> script. This leads to the variables from conf-hooks.d/<hook> being available to the respective <hook> script, thus providing a clear api to configure initramfs hook scripts. Additionally, the directory /etc/initramfs-tools/conf-hooks.d is introduced, meant as a place to overwrite package-provided hook configuration by local settings. Close: #807527 Signed-off-by: Jonas Meurer <jo...@freesources.org> --- debian/changelog | 13 ++++++++++++- debian/initramfs-tools-core.dirs | 1 + hook-functions | 11 +++++++++++ mkinitramfs | 2 +- 4 files changed, 25 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index 16e4e5f..d8adccb 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,5 +1,6 @@ initramfs-tools (0.120) unstable; urgency=medium + [ Ben Hutchings ] * [23ee5f9] Add '.log' to fsck log output file, and document its existence (Closes: #780352) * [b87e34b] Remove old comment about running shell on failure of fsck @@ -10,7 +11,17 @@ initramfs-tools (0.120) unstable; urgency=medium * [25ab961] NEWS: Add entries about other ways of mounting /usr that won't work - -- Ben Hutchings <b...@decadent.org.uk> Mon, 13 Apr 2015 01:18:06 +0100 + [ Jonas Meurer ] + * Redefine the purpose of conf-hooks.d include files (closes: #807527): + - Additional to these files beeing sourced, variables from + conf-hooks.d/<hook> are now exported before <hook> is invoked. As a + result, variables from conf-hooks.d/<hook> are now available to the + hook script hooks/<hook>. + - Add /etc/initramfs-tools/conf-hooks.d as user-configurable place + for conf-hooks.d, potentially overwriting settings from + /usr/share/initramfs-tools/conf-hooks.d. + + -- Jonas Meurer <m...@debian.org> Thu, 10 Dec 2015 15:57:12 +0100 initramfs-tools (0.119) unstable; urgency=medium diff --git a/debian/initramfs-tools-core.dirs b/debian/initramfs-tools-core.dirs index bcb978b..3098260 100644 --- a/debian/initramfs-tools-core.dirs +++ b/debian/initramfs-tools-core.dirs @@ -10,6 +10,7 @@ etc/initramfs-tools/scripts/nfs-top etc/initramfs-tools/scripts/panic etc/initramfs-tools/hooks etc/initramfs-tools/conf.d +etc/initramfs-tools/conf-hooks.d usr/share/initramfs-tools/conf.d usr/share/initramfs-tools/conf-hooks.d usr/share/initramfs-tools/modules.d diff --git a/hook-functions b/hook-functions index 93973bb..411f132 100644 --- a/hook-functions +++ b/hook-functions @@ -729,6 +729,17 @@ call_scripts() set -e for cs_x in ${runlist}; do [ -f ${initdir}/${cs_x} ] || continue + # read config file conf-hooks.d/${cs_x} if it exists + for hookconf in /usr/share/initramfs-tools/conf-hooks.d/${cs_x} ${CONFDIR}/conf-hooks.d/${cs_x}; do + [ -f ${hookconf} ] || continue + if [ "${verbose}" = "y" ]; then + echo "Reading config file conf-hooks.d/${cs_x}" + fi + hookvars="$(sed -e '/#.*$/d' -e '/^$/d' ${hookconf})" + for hookvar in ${hookvars}; do + export ${hookvar} + fi + done # mkinitramfs verbose output if [ "${verbose}" = "y" ]; then echo "Calling hook ${cs_x}" diff --git a/mkinitramfs b/mkinitramfs index b64c7fb..14c3cf7 100755 --- a/mkinitramfs +++ b/mkinitramfs @@ -82,7 +82,7 @@ for i in ${EXTRA_CONF}; do done # source package confs -for i in /usr/share/initramfs-tools/conf-hooks.d/*; do +for i in /usr/share/initramfs-tools/conf-hooks.d/* /etc/initramfs-tools/conf-hooks.d/*; do if [ -d "${i}" ]; then echo "Warning: ${i} is a directory instead of file, ignoring." elif [ -e "${i}" ]; then -- 2.5.0
signature.asc
Description: OpenPGP digital signature